
    Developing Advanced Privacy Protection Mechanisms for Connected Automotive User Experiences

    The transportation industry is experiencing an unprecedented revolution. This revolution is being led by the rapid development of connected and automated vehicle (CAV) technologies together with cloud-based mobility services characterized by huge amounts of data being generated, collected, and utilized. This big data trend provides not only business opportunities but also challenges. One of the challenges is data privacy, which is inherently unavoidable due to the information-sharing nature of such mobility services and the advancement in data analytics. In this thesis, privacy issues and corresponding countermeasures related to the connected vehicle landscape are comprehensively studied. First of all, an overview of the landscape of emerging mobility services is provided and several typical connected vehicle services are introduced. Then we analyze and characterize data that can be collected and shared in these services and point out potential privacy risks. In order to protect user privacy while ensuring service functionality, we develop novel privacy protection mechanisms for connected automotive user experiences. Specifically, we consider the whole life cycle of data collection and sharing. To support privacy-preserving data collection, we design fine-grained and privacy-aware data uploading policies that ensure the balance between enforcing privacy requirements and keeping data utility, and implement a prototype that collects data from the vehicle, smartphone, and smartwatch securely. To support privacy-preserving data sharing, we demonstrate two kinds of risks, additional individual information inference and user de-anonymization, during data sharing through concrete attack designs. We also propose corresponding countermeasures to defend against such attacks and minimize user privacy risks.
The feasibility of such attacks and our defense strategies are evaluated with real world vehicular data.

    Master of Science, Computer and Information Science, College of Engineering & Computer Science, University of Michigan-Dearborn
    https://deepblue.lib.umich.edu/bitstream/2027.42/143518/1/thesis_Huaxin_Apr24_FontEmbed.pdf
    Description of thesis_Huaxin_Apr24_FontEmbed.pdf : Thesi

    Security and Privacy Threats on Mobile Devices through Side-Channels Analysis

    In recent years, mobile devices (such as smartphones and tablets) have become essential tools in everyday life for billions of people all around the world. Users continuously carry such devices with them and use them for daily communication activities and social network interactions. Hence, such devices contain a huge amount of private and sensitive information. For this reason, mobile devices have become popular targets of attacks. In most attack settings, the adversary aims to take local or remote control of a device to access sensitive user information. However, such violations are not easy to carry out since they need to leverage a vulnerability of the system or a careless user (i.e., one who installs a malware app from an unreliable source). A different approach that does not have these shortcomings is side-channel analysis. In fact, side-channels are physical phenomena that can be measured from either inside or outside a device. They are mostly due to the user interaction with a mobile device, but also to the context in which the device is used; hence they can reveal sensitive information about the user, such as identity and habits, the environment, and the operating system itself. Hence, this approach consists of inferring private information that is leaked by a mobile device through a side-channel. Besides, side-channel information is also extremely valuable for enforcing security mechanisms such as user authentication and the detection of intrusions and information leaks. This dissertation investigates novel security and privacy challenges in the analysis of side-channels of mobile devices.
This thesis is composed of three parts, each focused on a different side-channel: (i) the usage of network traffic analysis to infer user private information; (ii) the energy consumption of mobile devices during battery recharge as a way to identify a user and as a covert channel to exfiltrate data; and (iii) the possible security application of data collected from built-in sensors in mobile devices to authenticate the user and to evade sandbox detection by malware. In the first part of this dissertation, we consider an adversary who is able to eavesdrop on the network traffic of the device on the network side (e.g., by controlling a WiFi access point). The fact that the network traffic is often encrypted makes the attack even more challenging. Our work proves that it is possible to leverage machine learning techniques to identify user activity and apps installed on mobile devices by analyzing the encrypted network traffic they produce. Such insights are becoming a very attractive data gathering technique for adversaries, network administrators, investigators and marketing agencies. In the second part of this thesis, we investigate the analysis of electric energy consumption. In this case, an adversary is able to measure with a power monitor the amount of energy supplied to a mobile device. In fact, we observed that the usage of mobile device resources (e.g., CPU, network capabilities) directly impacts the amount of energy retrieved from the supplier, i.e., the USB port for smartphones and the wall socket for laptops. Leveraging energy traces, we are able to recognize a specific laptop user among a group and detect intruders (i.e., users not belonging to the group). Moreover, we show the feasibility of a covert channel to exfiltrate user data which relies on timed energy consumption bursts. In the last part of this dissertation, we present a side-channel that can be measured within the mobile device itself.
This channel consists of data collected from the sensors a mobile device is equipped with (e.g., accelerometer, gyroscope). First, we present DELTA, a novel tool that collects data from such sensors, and logs user and operating system events. Then, we develop MIRAGE, a framework that relies on sensor data to enhance sandboxes against malware analysis evasion